FIX: do not allow unbound membership lookups

Previously we would allow looking up membership limits in an unbound way via the API; this introduces an upper limit of 1000 per page.

diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 0a467fb..95c982c 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -211,6 +211,10 @@ class GroupsController < ApplicationController
       raise Discourse::InvalidParameters.new(:limit)
     end
 
+    if limit > 1000
+      raise Discourse::InvalidParameters.new(:limit)
+    end
+
     if offset < 0
       raise Discourse::InvalidParameters.new(:offset)
     end
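Review bot: the 1000 cap is a bare magic number in the controller; extract it to a named constant (e.g. a `MAX_MEMBERS_PER_PAGE` constant on the controller, a name suggested here, not one from the codebase) so the test, any documentation and a future site setting all refer to one value rather than repeating `1000` and `2000` as literals. The rejection also reuses `Discourse::InvalidParameters.new(:limit)`, the same error already raised a few lines above for the lower bound, so a client gets an identical 400 for `limit=0` and `limit=5000` with no hint of the accepted range; if the error class supports a message, consider stating the maximum, or document it in the API docs for this endpoint. Clamping to the maximum instead of rejecting would be an alternative, but rejecting is the safer choice for a resource-exhaustion fix because it makes the limit visible to callers rather than silently truncating results.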
diff --git a/spec/requests/groups_controller_spec.rb b/spec/requests/groups_controller_spec.rb
index 83acf88..6e6ae84 100644
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
@@ -351,6 +351,9 @@ describe GroupsController do
 
       get "/groups/#{group.name}/members.json?offset=-1"
       expect(response.status).to eq(400)
+
+      get "/groups/trust_level_0/members.json?limit=2000"
+      expect(response.status).to eq(400)
     end
 
     it "ensures the group can be seen" do
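Review bot: the new assertion switches to the `trust_level_0` automatic group while the preceding requests in the same example use `group.name`; use the same fixture for consistency unless the automatic group is needed for a reason, in which case a comment should say why. The test only exercises the rejected side of the boundary (`limit=2000`); add a request with `limit=1000` expecting a 200 so a future off-by-one in `if limit > 1000` (for example a change to `>=`) is caught, and since the lower-bound check and the new upper-bound check raise the same error, the two 400s are indistinguishable in this spec, which is worth a note if the error message is ever made specific.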

GitHub sha: 704c5795